Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Jakob Bohm
On 11/06/2018 18:14, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Salz, Rich via openssl-users Sent: Monday, June 11, 2018 08:52 So is there any other way we can still make it work without disabling FIPS mode? No. The version of open

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Interesting. Yes, I did take a look at Cloudflare patch but wasn't sure if I could use that. Alright. This helps. My only option is to upgrade to OpenSSL 1.1.0 in order to support CHACHA+Poly1305 cipher support. Thanks Rich. -Srivalli On 6/11/18, 1:40 PM, "Salz, Rich" wrote: >Just

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Short, Todd via openssl-users
You will need to patch OpenSSH to not call the SHA256_XXX() APIs directly. To work with FIPS enabled, the EVP API must be used for all crypto operations. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jun 11, 2018, a

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Salz, Rich via openssl-users
>Just curious, is there a possibility to patch CHACHA cipher specific > changes to OpenSSL 1.0.2 version still and get SSL handshake succeed? It can be done; CloudFlare posted some patches at https://github.com/cloudflare/sslconfig/tree/master/patches but I think they used the pre-IETF ve

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Thanks Matt. Appreciate your answers. Just curious, is there a possibility to patch CHACHA cipher specific changes to OpenSSL 1.0.2 version still and get SSL handshake succeed? I am not looking for an upgrade to OpenSSL 1.1.0 at this point. So, I am interested to know if I can get CHACHA to wor

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Salz, Rich via openssl-users
>This is one of several reasons why FIPS 140-2 is a problem. Unfortunately > the FIPS 140-3 effort seems to be moribund, and I haven't heard anything > about "ISO FIPS" in some time. If I understood what was said at the ICMC conference last month, the FIPS 140-3 plan is to just point to th

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Salz, Rich via openssl-users > Sent: Monday, June 11, 2018 08:52 > > So is there any other way we can still make it work without disabling > > FIPS mode? > No. The version of openssh you are using makes API ca

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Matt Caswell
On 11/06/18 16:44, Srivalli Kuppa (srikuppa) via openssl-users wrote: > 1. Do we have a stable OpenSSL patch that can be applied to OpenSSL > 1.0.2 version to support CHACHA cipher both as a server/client? No. Chacha/Poly1305 support is only available from version 1.1.0 upwards. > 2. Can

[openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Hi OpenSSL team, I am Srivalli Kuppa. I have a couple of questions regarding support of CHACHA and Poly1305 cipher suites with OpenSSL. 1. Do we have a stable OpenSSL patch that can be applied to OpenSSL 1.0.2 version to support CHACHA cipher both as a server/client? 2. Can CHACHA+Poly13

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Salz, Rich via openssl-users
* So is there any other way we can still make it work without disabling FIPS mode? No. The version of openssh you are using makes API calls that are not allowed in FIPS mode. I suspect later versions of OpenSSH also do this, and therefore “FIPS mode openssh” will require some coding

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Sandeep Deshpande
Thanks for the reply. Our appliance is enabled in FIPS mode by default. All these days, we were using openssh 6.2 with openssl 0.9.8. Now we need to upgrade openssl to 1.0.2j. But we would not like to upgrade openssh at this time. So is there any other way we can still make it work without disa

Re: [openssl-users] Selection of DHE ciphers based on modulus size of DH

2018-06-11 Thread Sanjaya Joshi
Hi, Thank you for the clarifications. Regards, Sanjaya On Fri, Jun 8, 2018 at 4:30 PM, Jakob Bohm wrote: > (Top posting for consistency). > > Once the client receives the TLS1.2 servers choice of DH group, > it can either accept it or abort the connection. > > However if both client and server